A hacker stole NFTs worth more than $1.7 million from OpenSea users using a phishing attack. The attacker stole 254 NFTs, including Decentraland and Bored Ape Yacht Club tokens.
The attacker tricked the targets into signing a partially completed contract, which gave the attacker full control over the listed assets. For the targets, this was essentially like signing a blank check: the missing details were filled in later by the attacker.
Through the phishing attack, 32 victims were tricked into signing a malicious payload. Once signed, the payload authorized the transfer of ownership of the NFTs to the attacker at no cost.
For context, OpenSea is one of the largest NFT marketplaces on the internet. The hackers exploited a vulnerability in the platform’s new Wyvern smart contract system, a contract standard used by many NFT marketplaces.
Since the NFT boom, OpenSea has become one of the most valued platforms in this industry. It provides a simple marketplace for users to list, browse, and bid on NFTs. However, this sudden success has come with some security risks.
The company has faced numerous vulnerabilities that allowed hackers to steal from its users. This phishing attack occurred while OpenSea was migrating to the new Wyvern system. CEO Devin Finzer explained the phishing attack in a Twitter thread.
“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue.” (Nadav Hollander, OpenSea CTO)